Problems configure access-lists
- To: openldap-software@openldap.org
- Subject: Problems configure access-lists
- From: Andreas Dahlen <andreas@dahlen.ws>
- Date: Tue, 16 Jan 2007 08:07:53 +0100
- Content-disposition: inline
- User-agent: Internet Messaging Program (IMP) H3 (4.2-cvs)
Hi!
I'm running OpenLDAP 2.3.19.
Our LDAP structure is as below:

ou=admin,dc=example,dc=com
    cn=admlocal       (objectclass=person)
    cn=admmaster      (objectclass=simpleSecurityObject, organizationalRole)
ou=deps,dc=example,dc=com
    dep=dep1          (objectclass=locDep)
        cn=admin          (objectclass=locAdmin)
        locId=ID11        (objectclass=locData)
        locId=ID12        (objectclass=locData)
        locUsr=USR11      (objectclass=locUser)
    ...
    dep=dep2          (objectclass=locDep)
        cn=admuser        (objectclass=locAdmin)
        locId=ID21        (objectclass=locData)
        locId=ID22        (objectclass=locData)
        locUsr=USR21      (objectclass=locUser)
Objectclasses locDep, locAdmin, locData and locUser are locally
defined classes.
Everything works fine right now, but when I looked in slapd.conf I
saw a major configuration error.
The access-lists state:
access to attrs=userPassword
    by dn="cn=admmaster,ou=admin,dc=example,dc=com" write
    by anonymous auth
    by self write
    by * none

access to *
    by dn="cn=admlocal,ou=admin,dc=example,dc=com" write
    by dn="cn=admmaster,ou=admin,dc=example,dc=com" write
    by * write
I want to tighten this security, but I can't figure out how I should
configure my access-lists.
* cn=admmaster,ou=admin,dc=example,dc=com
  Should have full access to everything.
* cn=admlocal,ou=admin,dc=example,dc=com
  Should have full access to everything, except userPassword.
* cn=<username>,dep=<dep>,ou=deps,dc=example,dc=com
  Should have full access to everything below its dep, i.e.
  - cn=admin,dep=dep1,ou=deps,dc=example,dc=com should have full access
    to everything below dep=dep1,ou=deps,dc=example,dc=com and read on
    dep=dep1,ou=deps,dc=example,dc=com.
  - cn=admuser,dep=dep2,ou=deps,dc=example,dc=com should have full
    access to everything below dep=dep2,ou=deps,dc=example,dc=com and read
    on dep=dep2,ou=deps,dc=example,dc=com.
The name of (class) locAdmin can be different in different deps.
I hope that I've managed to describe what I want to achieve.
/Andreas
----------------------------------------------------------------
This message was sent using IMP (http://www.horde.org).
Running on PHP 5.1.2, Apache 2.0.55, Ubuntu Dapper.
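One ACL set that would meet the requirements listed in the message above, written as an added example in OpenLDAP 2.3 slapd.conf syntax; it is not part of the original post and not taken from the OpenLDAP documentation. It assumes three things that the post does not state: that the locAdmin entry is the only entry with a cn= RDN directly beneath its dep (so a regex on "cn=...,dep=<dep>,..." identifies the dep admin whatever its name is), that cn=admmaster is not also the rootdn (the rootdn bypasses ACLs entirely), and that nobody else needs any access by default. The existing "by * write" in the current catch-all rule grants write to every identity, anonymous included, which is the hole the poster noticed.

```conf
# Added example ACL set for the tree described in the post (not from the post).
# slapd evaluates "access to" clauses in order: the first clause whose
# <what> matches the entry/attribute is used, and within it the first
# "by" whose <who> matches decides the result. Anything not matched by a
# "by" line gets "none". Put the narrowest rules first.

# 1. userPassword of entries beneath a dep: that dep's own admin may write it,
#    as may admmaster; users may change their own and anyone may bind.
#    admlocal is deliberately absent here (no userPassword access).
#    $1 in the "by dn.regex" pattern is the dep name captured in the "to" regex.
#    ASSUMPTION: only locAdmin entries sit as cn=... directly under a dep.
access to dn.regex="^.+,dep=([^,]+),ou=deps,dc=example,dc=com$" attrs=userPassword
    by dn.exact="cn=admmaster,ou=admin,dc=example,dc=com" write
    by dn.regex="^cn=[^,]+,dep=$1,ou=deps,dc=example,dc=com$" write
    by self write
    by anonymous auth
    by * none

# 2. userPassword everywhere else (e.g. the entries under ou=admin).
access to attrs=userPassword
    by dn.exact="cn=admmaster,ou=admin,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none

# 3. The dep entry itself: its admin gets read only, the two global admins write.
access to dn.regex="^dep=([^,]+),ou=deps,dc=example,dc=com$"
    by dn.exact="cn=admmaster,ou=admin,dc=example,dc=com" write
    by dn.exact="cn=admlocal,ou=admin,dc=example,dc=com" write
    by dn.regex="^cn=[^,]+,dep=$1,ou=deps,dc=example,dc=com$" read
    by * none

# 4. Everything beneath a dep: its admin gets write (userPassword was already
#    handled by rule 1, so this covers the remaining attributes).
access to dn.regex="^.+,dep=([^,]+),ou=deps,dc=example,dc=com$"
    by dn.exact="cn=admmaster,ou=admin,dc=example,dc=com" write
    by dn.exact="cn=admlocal,ou=admin,dc=example,dc=com" write
    by dn.regex="^cn=[^,]+,dep=$1,ou=deps,dc=example,dc=com$" write
    by * none

# 5. Everything else: the suffix entry, ou=admin, ou=deps and their contents.
#    ASSUMPTION: no other identity needs access. If ordinary users must be
#    able to search from the suffix, replace the last line with "by users read"
#    (or a narrower rule) rather than reintroducing "by * write".
access to *
    by dn.exact="cn=admmaster,ou=admin,dc=example,dc=com" write
    by dn.exact="cn=admlocal,ou=admin,dc=example,dc=com" write
    by * none
```

Two checks are worth doing before trusting this. First, if cn=admmaster is configured as the rootdn of the database, none of these rules apply to it and the explicit admmaster lines are redundant; that is fine, but it also means the rootdn password, not this ACL, is what protects the whole tree. Second, slapd ships a slapacl(8) tool in 2.3 that evaluates the configured ACLs offline, so each requirement can be verified directly, for example "slapacl -f slapd.conf -D cn=admlocal,ou=admin,dc=example,dc=com -b locUsr=USR11,dep=dep1,ou=deps,dc=example,dc=com userPassword/write" should be denied while the same query with -D cn=admin,dep=dep1,ou=deps,dc=example,dc=com should be allowed, and cn=admin,dep=dep1 should be denied write on anything under dep=dep2.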